restricting DHCP flooding on CISCO 2960 switch

Aug 7th, 2008

We are one of the service providers having both static IP and DHCP customers. At one of the BTS sites we have deployed a Cisco 2960 switch to which the BTS is connected, through which DHCP customers connect. On the same switch a few static IP customers also terminate (point-to-point radio). In one case a static IP customer terminated our link on the LAN port of his router instead of the WAN port by mistake, and our DHCP customers started getting IPs from his IP pool. Is there any way we can prevent this on the switch port on which the static IP customer terminates?

Marwan ALshawi Thu, 08/07/2008 - 22:46

You can prevent this by using DHCP snooping.

Just enable it globally,

then

enter this command on each interface that you don't want to offer DHCP

and enter this command with the word TRUST on each port connected to a DHCP server.

In other words, any port configured with DHCP snooping will be an untrusted port, so it will not accept DHCP offers through it,

while when you add the word "trust" to that command at the port level, you are trusting this port and accepting DHCP offers.

Important:

Make each port connected to a DHCP server (I mean servers you want to use) as DHCP snooping trust.

Also, this command should be entered on ports or trunks connecting switches.

All other ports: not trusted DHCP snooping.

Also, you can limit the rates for more advanced security.

Also, this link is a good reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/dhcp.html

good luck

please, if helpful rate
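
The DHCP snooping setup described in the answer above, written out as Cisco IOS configuration. This is an added example, not part of the original thread; VLAN 10, the interface numbers and the descriptions are assumptions.

```cisco
! Added example. VLAN 10 and all interface numbers are assumptions.
! Enable DHCP snooping globally, then on the customer VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The switch inserts option 82 into client requests by default. If the
! upstream DHCP server or relay rejects requests carrying it, disable
! insertion with:
!   no ip dhcp snooping information option
!
! Uplink toward the legitimate DHCP server (or the next switch): trusted.
interface GigabitEthernet0/1
 description UPLINK-TO-DHCP-SERVER
 ip dhcp snooping trust
!
! Static-IP customer port: left untrusted (the default), so DHCP server
! replies (OFFER/ACK) arriving on it are dropped before reaching clients.
interface FastEthernet0/5
 description STATIC-CUSTOMER-P2P-RADIO
 ip dhcp snooping limit rate 10
!
! BTS port carrying the DHCP customers: also untrusted, clients only.
interface FastEthernet0/1
 description BTS-DHCP-CUSTOMERS
!
! Verify from privileged EXEC:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
```

The rate limit is in DHCP packets per second, and a port that exceeds it is placed in the err-disabled state, so size it to the port's legitimate DHCP traffic.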
